When engaging with technical support, it is critical to provide all the necessary logs to increase the speed and effectiveness of the troubleshooting process. This article provides step-by-step instructions on which logs to collect, and how to collect them, when dealing with SPA (Secure Private Access) VPN tunnel issues prior to engaging Fortinet Support - Welcome to Fortinet Support. Follow the steps to collect the necessary data when addressing SPA issues such as tunnel or routing failures, so that the engagement with Fortinet technical support can proceed without additional back-and-forth.
FortiSASE.
Step 1 - Verify Tunnel Status and BGP Routing.
Collect screenshots of the IPsec tunnel status and the BGP peering state of the FortiSASE PoP(s) in question under Operations -> Secure Private Access -> tunnel_name -> Health.
Collect a screenshot of the advertised routes for the selected PoP(s): select the FortiSASE PoP and click View Learned BGP Routes.
Confirm that all routes are propagated as expected and take a screenshot.
Step 2 - Verify and Export VPN Events.
Export the VPN events from Operations -> Events -> Tunnel Events. Optionally, filter on the hub's tunnel IP (it can be retrieved from the previous step as the Remote Gateway IP).
FortiGate Hub.
Step 3 - Retrieve Configuration File.
Collect a backup of the FortiGate Hub configuration file so that technical support can review the configuration.
Step 4 - Verify IPsec Tunnel Status.
Run the following commands and save output to a text file:
get vpn ipsec tunnel summary
diagnose vpn tunnel list name <advpn-name>
diagnose vpn ike gateway list
Then, run the following diagnostic commands to record the tunnel negotiation process:
diagnose vpn ike log filter rem-addr4 <FortiSASE PoP Address>
diagnose debug application ike -1
diagnose debug enable
Step 5 - Verify BGP Routing State.
Run the following command to check the BGP neighbors' information:
get router info bgp summary
A neighbor in the Established state is working; a neighbor stuck in Idle or Active indicates a problem with the peering.
Verify the routes advertised and received:
get router info bgp neighbors <neighbor-IP> advertised-routes
get router info bgp neighbors <neighbor-IP> received-routes
Check the FortiGate Routing Table:
get router info routing-table all
Capture BGP negotiation data:
diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose debug enable
To disable BGP debugging, run the commands below:
diagnose ip router bgp all disable
diagnose ip router bgp level none
diagnose debug disable
diagnose debug reset
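When the summary output is being saved for the ticket, it helps to flag the non-Established peers before debugging is enabled. The following parser is an added example, not part of this article or Fortinet's tooling: it assumes the Quagga-style neighbor table that "get router info bgp summary" prints, where the last column is a prefix count for an Established peer and the FSM state name (Idle, Active, Connect, ...) otherwise; the sample output below is constructed, not captured from a device.

```python
from typing import Dict, List, NamedTuple

# Constructed sample, shaped like the Quagga-style table printed by
# "get router info bgp summary" (an assumption, not captured device output).
SAMPLE_SUMMARY = """\
BGP router identifier 10.255.0.1, local AS number 65000
BGP table version is 12
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.2      4      65001    1543    1540       12    0    0 1d02h15m        5
10.255.1.3      4      65001       0       0        0    0    0 never        Idle
10.255.1.4      4      65001      12       9        0    0    0 00:00:42    Active

Total number of neighbors 3
"""

class Peer(NamedTuple):
    neighbor: str
    remote_as: int
    state: str      # "Established" or the FSM state shown in the table
    prefixes: int   # prefixes received; 0 unless Established

def parse_bgp_summary(text: str) -> List[Peer]:
    """Parse the neighbor table. A numeric last column means Established
    (it is the received-prefix count); anything else is the FSM state."""
    peers: List[Peer] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True          # header row reached; rows follow
            continue
        if not in_table or not line.strip() or line.startswith("Total"):
            continue
        cols = line.split()
        if len(cols) < 10:           # not a neighbor row
            continue
        last = " ".join(cols[9:])    # tolerate states such as "Idle (Admin)"
        if last.isdigit():
            peers.append(Peer(cols[0], int(cols[2]), "Established", int(last)))
        else:
            peers.append(Peer(cols[0], int(cols[2]), last, 0))
    return peers

def find_problem_peers(peers: List[Peer]) -> Dict[str, str]:
    """Map neighbor -> state for every peer that is not Established, i.e.
    the peers for which the advertised/received routes and BGP debug matter."""
    return {p.neighbor: p.state for p in peers if p.state != "Established"}
```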
Step 6 - Generate TAC Report.
Run the following command on the FortiGate to generate the TAC report:
execute tac report
Step 7 - Engage Technical Support.
After all the data described above has been collected, engage technical support by opening a ticket and attaching the files to the case.
In summary, the following files are expected in the ticket:
Tunnel status and BGP state screenshots (step 1).
FortiSASE VPN events (step 2).
FortiGate Hub configuration file (step 3).
FortiGate CLI output with tunnel connection status and IKE diagnostics (step 4).
FortiGate CLI output with BGP routing states and negotiations (step 5).
FortiGate TAC report (step 6).